AWS User/Group Clean-up

timolegros commented 1 month ago

Description

Current state of AWS IAM

We have 4 users on AWS:

commonwealth-dev-3
commonwealth-prod
commonwealth-staging
timothee

We also have 2 user groups:

amazon-s3-full-access
- All 4 users from above are in this group
- Permissions on all buckets -> s3:GetObject and s3:ListBucket, s3:PutObject
Engineering
- Only my account (timotthee) is in this group
- Permissions:

Desired state of AWS IAM

Users:

Timothee
Roger
Kurtis
Ryan
local-dev
staging
demo
qa
production

User Groups:

Engineering
- Users: Timothee, Roger, Kurtis, Ryan, (remove AlexYoung)
- Permissions: add cloudwatch:ListMetrics, cloudtrail:DescribeTrails policies to existing permissions
production (replaces amazon-s3-full-access)
- Users: production
- Permissions: s3:PutObject, s3:GetObject, s3:ListBucket access on all production buckets (assets.commonwealth.im, sitemap.commonwealth, outbox-event-stream-archive, common-content)
local-development
- Users: local-dev, Timothee, Roger, Kurtis, Ryan
- Permissions: s3:PutObject, s3:GetObject, s3:ListBucket access on all buckets prefixed with local. or tagged with APP_ENV=local
remote-development
- Users: staging, demo, qa
- Permissions: TBD

S3 clean-up

Delete common-sitemap (superseded by sitemap.commonwealth.im))
Investigate possible deletion of common-wp, commonwealth-uploads, and discourse-dumps buckets

Additional context

jnaviask commented 1 month ago

The new users and groups have been created, but the old users have not yet been deleted. I have attempted to set up the permissions configuration for local development, but we will need to clean up the actual buckets to proceed here.

jnaviask commented 1 month ago

Deleted common-sitemap bucket.

timolegros commented 1 month ago

Confirmed that we will add remote-development buckets (naming TBD) that only the remote-development user group will have access to.

hicommonwealth / commonwealth